
Night of the Living Botnets: How Hackers Use the Internet of Things to Command Zombies and Disrupt Web Services

Last month, the Internet’s infrastructure was impacted by a series of disruptions, causing major online services such as Netflix, Twitter, PayPal, Amazon, and Spotify to be inaccessible for many users across the country and around the world. The attacks targeted Dyn, a company that helps Internet users connect to websites. The attacks came in three waves, with each wave directing a large amount of traffic at websites supported by Dyn in an effort to knock those websites offline. This type of attack is known as a distributed denial of service (DDoS) attack. The attacks were focused on a single company, but the disruptions affected a very large portion of the Internet’s most popular social media, online payment, and digital media streaming services.

The DDoS attacks appear to have been facilitated with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders. IoT devices are physical devices embedded with electronics and software that enable the device to collect and exchange data via the Internet. Because of their ability to exchange data and connect to networks, hackers often find ways to turn these devices into an army of “zombie bots,” using each device’s processing power, network connection, and collected data to infiltrate and disrupt. These devices are effectively turned into zombies in the sense that they now follow the directions of whichever user has commandeered them.

With respect to October’s attacks, computer security firms have concluded that the attack involved Mirai, a type of IoT malware that was used in an attack on Brian Krebs’s blog, “Krebs on Security,” in September. More concerning, however, is that at the end of September 2016, the hacker responsible for the Krebs attack released the source code for Mirai, which effectively allows anyone to build their own DDoS attack army. This open disclosure of malware source code requires businesses and companies to pay attention to the vulnerabilities present in the IoT devices they produce or use.

Mirai crawls the Internet for IoT devices protected by minimal security features (such as factory-default usernames and passwords) and then commandeers the devices in attacks that direct web traffic at an online target until it can no longer accommodate legitimate visitors or users. In other words, an entire company’s product line of IoT devices can be transformed into a legion of zombies capable of attacking and disrupting web services. For businesses, this means denial of service to customers and drastic inefficiency.

The lesson here is that security features for IoT devices need to be drastically improved. IoT devices currently have very lax security features. For example, many IoT devices’ security features are reduced to a default password, and the devices are incapable of receiving security updates to patch documented flaws and vulnerabilities. Hackers are not typing these passwords themselves; instead, they use programs to scan the entirety of the Internet seeking vulnerable devices with open ports. Each hackable device, IoT or otherwise, shortens the time required to conduct this search because the commandeered device lends more power to the effort. And once hacked, any data collected by the device can be accessed by the intruder.
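From the defender’s side, the scanning behaviour described above is itself a symptom worth alerting on: a commandeered camera or recorder suddenly fans out to many distinct hosts on one service port. The following Python script, added here as an illustration and not part of the original article, runs that check over constructed firewall flow-log lines; the log format, the watched telnet ports (23 and 2323), and the alert threshold are assumptions.

```python
"""Flag an internal device whose outbound connections look like a scanning
zombie: many distinct destinations on a watched service port.
Added example; the key=value log format below is an assumption."""
import re
from collections import defaultdict

# Constructed sample flow records (not real traffic). The camera at 10.0.5.12
# reaches 30 distinct external hosts on TCP/23; 10.0.5.20 behaves normally.
SAMPLE_LOG = [
    f"2016-10-21T11:00:{i:02d} src=10.0.5.12 dst=203.0.113.{i} dport=23 proto=tcp"
    for i in range(1, 31)
] + [
    "2016-10-21T11:00:05 src=10.0.5.20 dst=198.51.100.7 dport=443 proto=tcp",
    "2016-10-21T11:00:06 src=10.0.5.20 dst=198.51.100.7 dport=443 proto=tcp",
    "2016-10-21T11:00:07 src=10.0.5.20 dst=198.51.100.9 dport=23 proto=tcp",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return the record's fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, watched_ports=(23, 2323), threshold=20):
    """Count distinct destinations per source on the watched ports (assumed
    telnet ports) and return {src: count} for sources at or above threshold.
    An IoT device should never initiate that many connections on its own."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in watched_ports:
            continue  # skip malformed lines and ports we are not watching
        fanout[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {n} distinct hosts on a watched port")
```

In practice the same fan-out count, taken over a short time window from real flow or firewall logs, is a cheap first signal that a device on the network has been commandeered.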

At the end of the day, producers of IoT devices need to pay serious attention to inherent security flaws and find ways to diminish vulnerabilities by incorporating customizable security features (such as biometric access or dual-layer authentication) and by allowing security updates to be downloaded and applied to these devices. For businesses that use IoT devices in the workplace to increase efficiency, serious attention needs to be paid to ensuring that administrative, technical, and physical safeguards are in place to protect the data collected and stored on these devices and to prevent their transformation into zombie devices commandeered by an unknown intruder.

The Internet of Things has permeated our society through smart appliances, wearables, and the growing investment in smart cities. This technology certainly increases efficiency and collects valuable data; such benefits are a double-edged sword when hackers (often hobbyists challenging themselves to test their skills) are able to transform these devices into zombies capable of exercising the hacker’s will. At the very least, companies first need to ask themselves whether certain data should even be accessible by IoT-enabled devices. And if so, they would be wise to thoroughly understand the security features (or lack thereof) of these devices, and take measures to constantly improve them.